Allow certain characters to be immune for ESAPI encoder?











up vote
0
down vote

favorite












I am trying to incorporate the ESAPI encoder with my JavaEE application and want it to not encode a certain set of characters, for example '<', '!', '(', ')'.



I read on the documentation https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/Encoder.html that "all characters should be encoded, except for a specific list of "immune" characters".



I would like to know where and how I can configure this specific list of "immune" characters. Would it be in the ESAPI.properties file?










share|improve this question






















  • Totally agree with Kevin’s response below. Several of the characters you say you want to be immune are known characters that are used in many programming languages, and making those chars in particular immune, invites code injection to your application. What are you really trying to do that you think immunity is the answer? There’s a code smell here, and it stinks.
    – avgvstvs
    Nov 24 at 1:22















up vote
0
down vote

favorite












I am trying to incorporate the ESAPI encoder with my JavaEE application and want it to not encode a certain set of characters, for example '<', '!', '(', ')'.



I read on the documentation https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/Encoder.html that "all characters should be encoded, except for a specific list of "immune" characters".



I would like to know where and how I can configure this specific list of "immune" characters. Would it be in the ESAPI.properties file?










share|improve this question






















  • Totally agree with Kevin’s response below. Several of the characters you say you want to be immune are known characters that are used in many programming languages, and making those chars in particular immune, invites code injection to your application. What are you really trying to do that you think immunity is the answer? There’s a code smell here, and it stinks.
    – avgvstvs
    Nov 24 at 1:22













up vote
0
down vote

favorite









up vote
0
down vote

favorite











I am trying to incorporate the ESAPI encoder with my JavaEE application and want it to not encode a certain set of characters, for example '<', '!', '(', ')'.



I read on the documentation https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/Encoder.html that "all characters should be encoded, except for a specific list of "immune" characters".



I would like to know where and how I can configure this specific list of "immune" characters. Would it be in the ESAPI.properties file?










share|improve this question













I am trying to incorporate the ESAPI encoder with my JavaEE application and want it to not encode a certain set of characters, for example '<', '!', '(', ')'.



I read on the documentation https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/Encoder.html that "all characters should be encoded, except for a specific list of "immune" characters".



I would like to know where and how I can configure this specific list of "immune" characters. Would it be in the ESAPI.properties file?







java java-ee owasp esapi






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 22 at 16:58









Mingxuan He

62




62












  • Totally agree with Kevin’s response below. Several of the characters you say you want to be immune are known characters that are used in many programming languages, and making those chars in particular immune, invites code injection to your application. What are you really trying to do that you think immunity is the answer? There’s a code smell here, and it stinks.
    – avgvstvs
    Nov 24 at 1:22


















  • Totally agree with Kevin’s response below. Several of the characters you say you want to be immune are known characters that are used in many programming languages, and making those chars in particular immune, invites code injection to your application. What are you really trying to do that you think immunity is the answer? There’s a code smell here, and it stinks.
    – avgvstvs
    Nov 24 at 1:22
















Totally agree with Kevin’s response below. Several of the characters you say you want to be immune are known characters that are used in many programming languages, and making those chars in particular immune, invites code injection to your application. What are you really trying to do that you think immunity is the answer? There’s a code smell here, and it stinks.
– avgvstvs
Nov 24 at 1:22




Totally agree with Kevin’s response below. Several of the characters you say you want to be immune are known characters that are used in many programming languages, and making those chars in particular immune, invites code injection to your application. What are you really trying to do that you think immunity is the answer? There’s a code smell here, and it stinks.
– avgvstvs
Nov 24 at 1:22












1 Answer
1






active

oldest

votes

















up vote
1
down vote



accepted










The simple answer is, you can't. Or at least not easily. You could do this by changing the line in ESAPI.properties from:



ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder



to something like



ESAPI.Encoder=com.MyCompany.myApp.MyEncoder



and then in MyEncoder.java, replacing one or more of ESAPI's initializations of its various IMMUNE_* variables with your own. Butt that's the only way to do it. There is no method or property to redefine this, because in the general case, you should never want to do so. (There was a [poor, IMO] design decision to make all of ESAPI's reference implementations a singleton, so providing such a method to DefaultEncoder class would me you would be changing it for all instances of a class and that just seems too dangerous.)



So rather than answering your question like I did, I should be asking you why do you wish to do this? The IMMUNE_CSS codec recently had '#' added to in (currently only in the 'develop' branch on GitHub), but even that was not done without extensive discussion amongst current and former OWASP project leaders. The immune lists are judiciously choose to be "safe" in all know cases. Then are not intended to be applied for only some edge cases known to be safe. That is why I am asking "Why do you want to do this? What specifically are you trying to achieve?" as there may be a better approach to what you are trying to do.






share|improve this answer





















  • Initially, we wanted to fix our log forge method. We found the ESAPI encoder and replaced our custom encoder to the ESAPI one. But once we changed this, we realized we had a lot of hard code that used these symbols when we were logging, which I thought it'd be fine to just ignore these symbols, which is why I asked this question. We realize now that this "solution" has a pretty bad smell and we plan to entirely refactor our method of logging instead.
    – Mingxuan He
    Nov 25 at 3:19











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53435475%2fallow-certain-characters-to-be-immune-for-esapi-encoder%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
1
down vote



accepted










The simple answer is, you can't. Or at least not easily. You could do this by changing the line in ESAPI.properties from:



ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder



to something like



ESAPI.Encoder=com.MyCompany.myApp.MyEncoder



and then in MyEncoder.java, replacing one or more of ESAPI's initializations of its various IMMUNE_* variables with your own. Butt that's the only way to do it. There is no method or property to redefine this, because in the general case, you should never want to do so. (There was a [poor, IMO] design decision to make all of ESAPI's reference implementations a singleton, so providing such a method to DefaultEncoder class would me you would be changing it for all instances of a class and that just seems too dangerous.)



So rather than answering your question like I did, I should be asking you why do you wish to do this? The IMMUNE_CSS codec recently had '#' added to in (currently only in the 'develop' branch on GitHub), but even that was not done without extensive discussion amongst current and former OWASP project leaders. The immune lists are judiciously choose to be "safe" in all know cases. Then are not intended to be applied for only some edge cases known to be safe. That is why I am asking "Why do you want to do this? What specifically are you trying to achieve?" as there may be a better approach to what you are trying to do.






share|improve this answer





















  • Initially, we wanted to fix our log forge method. We found the ESAPI encoder and replaced our custom encoder to the ESAPI one. But once we changed this, we realized we had a lot of hard code that used these symbols when we were logging, which I thought it'd be fine to just ignore these symbols, which is why I asked this question. We realize now that this "solution" has a pretty bad smell and we plan to entirely refactor our method of logging instead.
    – Mingxuan He
    Nov 25 at 3:19















up vote
1
down vote



accepted










The simple answer is, you can't. Or at least not easily. You could do this by changing the line in ESAPI.properties from:



ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder



to something like



ESAPI.Encoder=com.MyCompany.myApp.MyEncoder



and then in MyEncoder.java, replacing one or more of ESAPI's initializations of its various IMMUNE_* variables with your own. Butt that's the only way to do it. There is no method or property to redefine this, because in the general case, you should never want to do so. (There was a [poor, IMO] design decision to make all of ESAPI's reference implementations a singleton, so providing such a method to DefaultEncoder class would me you would be changing it for all instances of a class and that just seems too dangerous.)



So rather than answering your question like I did, I should be asking you why do you wish to do this? The IMMUNE_CSS codec recently had '#' added to in (currently only in the 'develop' branch on GitHub), but even that was not done without extensive discussion amongst current and former OWASP project leaders. The immune lists are judiciously choose to be "safe" in all know cases. Then are not intended to be applied for only some edge cases known to be safe. That is why I am asking "Why do you want to do this? What specifically are you trying to achieve?" as there may be a better approach to what you are trying to do.






share|improve this answer





















  • Initially, we wanted to fix our log forge method. We found the ESAPI encoder and replaced our custom encoder to the ESAPI one. But once we changed this, we realized we had a lot of hard code that used these symbols when we were logging, which I thought it'd be fine to just ignore these symbols, which is why I asked this question. We realize now that this "solution" has a pretty bad smell and we plan to entirely refactor our method of logging instead.
    – Mingxuan He
    Nov 25 at 3:19













up vote
1
down vote



accepted







up vote
1
down vote



accepted






The simple answer is, you can't. Or at least not easily. You could do this by changing the line in ESAPI.properties from:



ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder



to something like



ESAPI.Encoder=com.MyCompany.myApp.MyEncoder



and then in MyEncoder.java, replacing one or more of ESAPI's initializations of its various IMMUNE_* variables with your own. Butt that's the only way to do it. There is no method or property to redefine this, because in the general case, you should never want to do so. (There was a [poor, IMO] design decision to make all of ESAPI's reference implementations a singleton, so providing such a method to DefaultEncoder class would me you would be changing it for all instances of a class and that just seems too dangerous.)



So rather than answering your question like I did, I should be asking you why do you wish to do this? The IMMUNE_CSS codec recently had '#' added to in (currently only in the 'develop' branch on GitHub), but even that was not done without extensive discussion amongst current and former OWASP project leaders. The immune lists are judiciously choose to be "safe" in all know cases. Then are not intended to be applied for only some edge cases known to be safe. That is why I am asking "Why do you want to do this? What specifically are you trying to achieve?" as there may be a better approach to what you are trying to do.






share|improve this answer












The simple answer is, you can't. Or at least not easily. You could do this by changing the line in ESAPI.properties from:



ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder



to something like



ESAPI.Encoder=com.MyCompany.myApp.MyEncoder



and then in MyEncoder.java, replacing one or more of ESAPI's initializations of its various IMMUNE_* variables with your own. Butt that's the only way to do it. There is no method or property to redefine this, because in the general case, you should never want to do so. (There was a [poor, IMO] design decision to make all of ESAPI's reference implementations a singleton, so providing such a method to DefaultEncoder class would me you would be changing it for all instances of a class and that just seems too dangerous.)



So rather than answering your question like I did, I should be asking you why do you wish to do this? The IMMUNE_CSS codec recently had '#' added to in (currently only in the 'develop' branch on GitHub), but even that was not done without extensive discussion amongst current and former OWASP project leaders. The immune lists are judiciously choose to be "safe" in all know cases. Then are not intended to be applied for only some edge cases known to be safe. That is why I am asking "Why do you want to do this? What specifically are you trying to achieve?" as there may be a better approach to what you are trying to do.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 23 at 22:12









Kevin W. Wall

52625




52625












  • Initially, we wanted to fix our log forge method. We found the ESAPI encoder and replaced our custom encoder to the ESAPI one. But once we changed this, we realized we had a lot of hard code that used these symbols when we were logging, which I thought it'd be fine to just ignore these symbols, which is why I asked this question. We realize now that this "solution" has a pretty bad smell and we plan to entirely refactor our method of logging instead.
    – Mingxuan He
    Nov 25 at 3:19


















  • Initially, we wanted to fix our log forge method. We found the ESAPI encoder and replaced our custom encoder to the ESAPI one. But once we changed this, we realized we had a lot of hard code that used these symbols when we were logging, which I thought it'd be fine to just ignore these symbols, which is why I asked this question. We realize now that this "solution" has a pretty bad smell and we plan to entirely refactor our method of logging instead.
    – Mingxuan He
    Nov 25 at 3:19
















Initially, we wanted to fix our log forge method. We found the ESAPI encoder and replaced our custom encoder to the ESAPI one. But once we changed this, we realized we had a lot of hard code that used these symbols when we were logging, which I thought it'd be fine to just ignore these symbols, which is why I asked this question. We realize now that this "solution" has a pretty bad smell and we plan to entirely refactor our method of logging instead.
– Mingxuan He
Nov 25 at 3:19




Initially, we wanted to fix our log forge method. We found the ESAPI encoder and replaced our custom encoder to the ESAPI one. But once we changed this, we realized we had a lot of hard code that used these symbols when we were logging, which I thought it'd be fine to just ignore these symbols, which is why I asked this question. We realize now that this "solution" has a pretty bad smell and we plan to entirely refactor our method of logging instead.
– Mingxuan He
Nov 25 at 3:19


















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53435475%2fallow-certain-characters-to-be-immune-for-esapi-encoder%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

What visual should I use to simply compare current year value vs last year in Power BI desktop

How to ignore python UserWarning in pytest?

Alexandru Averescu